Distributed computer systems comprise a plurality of computer systems that communicate with one another in an organized manner via data connections within a computer network infrastructure. Distributed computer systems are used, for example, in computer network infrastructures with server-client topologies, in which data that is at least in part confidential, e.g. customer data or user data, is exchanged between a client and a server and in which access by third parties to this data must be prevented.
In secured computer network infrastructures, processing computer systems on which (confidential) data is processed are secured in a special way. For example, predetermined network ports of the processing computer system can initially be closed, so that access to, or connection establishment with, the processing computer system via the network is not possible.
Conventional solutions send predetermined knock signals via the network to a processing computer system whose network ports are closed in this way (so-called port knocking): a predetermined data sequence addresses predetermined network ports of the processing computer system. The processing computer system compares this data sequence to a predetermined sequence and, if they match, opens one or more network ports so that a connection can be established from outside via the network.
One risk of these measures is that the processing computer system is thereby opened to hackers or non-authorized computer systems that manipulate a corresponding port-knocking process, e.g. by observing and replaying the knock sequence, which is transmitted without authentication. In this way, third parties can gain (manipulative) access, through the opened network ports, to possibly confidential data in the processing computer system. Furthermore, a program must be running on one or more network ports of the processing computer system so that services in the opened processing computer system are addressable at all. This running program is a potential point of attack for external attacks via the network (e.g. buffer overflows or so-called denial-of-service attacks).
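The following is an added illustration of the port-knocking mechanism and of the risk described in the two preceding paragraphs; it is not part of this application and does not describe any specific product. It assumes a hypothetical fixed knock sequence (ports 7000, 8000, 9000) and a per-step timing window, and processes constructed connection-attempt records of the kind a packet filter would log for closed ports. A legitimate client completes the sequence and would have a port opened, a scanner hitting unrelated ports does not, a slow client that exceeds the window does not, and a third party that merely replays the observed sequence from a different address succeeds as well, because the knock sequence itself carries no authentication.

```python
"""Minimal port-knocking sequence matcher (constructed example, not from the application).

Events are (timestamp_seconds, source_ip, destination_port) tuples for
connection attempts that hit the closed ports of the processing computer
system, in time order, e.g. as a packet filter would log them.
"""

# Hypothetical secret knock sequence and per-step timing window.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW_SECONDS = 5.0

# Constructed sample traffic (documentation/test addresses only).
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", 7000),     # legitimate client starts the sequence
    (0.5, "203.0.113.5", 8000),
    (1.0, "203.0.113.5", 9000),     # sequence complete: a port would be opened
    (2.0, "198.51.100.9", 22),      # scanner probing unrelated ports
    (2.1, "198.51.100.9", 7000),
    (2.2, "198.51.100.9", 80),      # wrong port resets the scanner's progress
    (10.0, "198.51.100.77", 7000),  # observer replaying the captured sequence
    (10.4, "198.51.100.77", 8000),
    (10.8, "198.51.100.77", 9000),  # replay succeeds: the knock is not authenticated
    (20.0, "192.0.2.3", 7000),      # slow client
    (30.0, "192.0.2.3", 8000),      # 10 s after the first knock: window exceeded
    (31.0, "192.0.2.3", 9000),
]


def process_knocks(events, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW_SECONDS):
    """Return a list of (timestamp, source_ip) for every source that sent the
    full knock sequence in order, each step within `window` seconds of the
    previous correct knock. Each entry is a point where the system would open
    its service port for that source."""
    progress = {}   # source_ip -> (index of next expected port, timestamp of last hit)
    opened = []
    for ts, src, port in events:
        idx, last_ts = progress.get(src, (0, ts))
        # Too much time since the previous correct knock: start over.
        if idx > 0 and ts - last_ts > window:
            idx = 0
        if port == sequence[idx]:
            idx += 1
            if idx == len(sequence):
                opened.append((ts, src))
                idx = 0
        else:
            # Wrong port: restart, but let a knock on the first port count as a new start.
            idx = 1 if port == sequence[0] else 0
        progress[src] = (idx, ts)
    return opened


def opened_for(events, **kwargs):
    """Convenience wrapper: only the source addresses that completed the sequence."""
    return [src for _, src in process_knocks(events, **kwargs)]


if __name__ == "__main__":
    for ts, src in process_knocks(SAMPLE_EVENTS):
        print(f"t={ts:5.1f}s  open service port for {src}")
```

Note that the matcher keys its state per source address. Behind the NAT/PAT masking discussed further below, several external hosts share one public address, so their knocks would be merged into a single state entry, which is another reason why a static knock sequence is a weak substitute for authentication of the external system.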
Explicit authentication of an external computer system directly at a processing computer system within the computer network infrastructure, prior to access, is not possible in conventional solutions, since a processing computer system, as described above, initially permits no external connection establishment through its closed network ports.
Conversely, addressing an external computer system that requires access to a processing computer system from the processing computer system itself is often very complicated or even impossible, because the external computer system may itself be secured and may not be addressable for connection establishment.
Moreover, access to processing computer systems within a computer network infrastructure usually takes place via the internet or a separate intranet (e.g. to unblock applications), and such accesses are often characterized in that the external computer system accessing the computer network infrastructure (e.g. a computing center) comes from a private access that does not use an unambiguous public IP address. Examples include cascaded connections via a proxy or so-called NAT/PAT masking methods (NAT = network address translation, PAT = port address translation).
As a result, essentially no connection can be initiated from a processing computer system within the computer network infrastructure to the corresponding external computer system, because, owing to the masking, the processing computer system knows neither the exact IP address nor the port of the external computer system. Furthermore, the IP address of the external computer system is usually a private one that cannot be used directly for routing. In addition, the external computer system is usually secured behind a firewall for its communication.
It could therefore be helpful to enable, by technical measures, secured unblocking of external computer systems for communication with secured processing computer systems within a computer network infrastructure, and nevertheless to improve the protection of the corresponding computer systems in the computer network infrastructure against attacks.